Cisco Urges Urgent Patching for a Critical RCE Flaw in Secure Firewalls

Cisco has issued an advisory regarding a critical vulnerability in the RADIUS subsystem of its Secure Firewall Management Center software. Tracked as CVE-2025-20265, the flaw has received the maximum CVSS score of 10.0. It allows a remote, unauthenticated attacker to send a specially crafted input during the login and password verification phase, ultimately achieving arbitrary command execution in the shell with full administrative privileges. The root cause lies in improper handling of user-supplied data during authentication.

Secure Firewall Management Center serves as the central management point for Cisco firewalls: through its web interface or via SSH, administrators configure devices, monitor their status, and deploy updates. RADIUS support is widely used as an external authentication method, particularly in enterprise and government networks where centralized login and auditing are essential. It is precisely in this configuration that the exploitation risk emerges.

The issue affects FMC versions 7.0.7 and 7.7.0 when RADIUS authentication is enabled—both for web access and SSH management. The flaw was discovered by Cisco security researcher Brandon Sakai. As of publication, there are no reports of active exploitation in the wild.

To address the vulnerability, Cisco has released free software updates, available to customers with active service contracts through standard distribution channels. If immediate patching is not possible, the company advises administrators to disable RADIUS and switch to alternative authentication methods such as local accounts, external LDAP, or SAML-based single sign-on. This workaround has been tested, though administrators are urged to verify its suitability in their environments and ensure no critical side effects.

Alongside this, Cisco also resolved 13 additional high-severity vulnerabilities across various products. These include:

• Denial of Service in Snort 3 (CVE-2025-20217)
• Crash when handling IPv6 over IPsec on Firepower 2100 devices (CVE-2025-20222)
• HTML injection in the FMC web interface (CVE-2025-20148)
• Remote Access VPN web server overload (CVE-2025-20244)
• SSL VPN flaws (CVE-2025-20133, CVE-2025-20243)
• Errors in SSL/TLS certificate handling (CVE-2025-20134)
• NAT DNS inspection crash (CVE-2025-20136)
• VPN web server vulnerability (CVE-2025-20251)
• IKEv2 issues in IOS, IOS XE, ASA, and Threat Defense (CVE-2025-20224, CVE-2025-20225)
• Web service overload (CVE-2025-20263)
• Denial of Service caused by TLS 1.3 cipher handling on Firepower 3100/4200 (CVE-2025-20127)

For most of these vulnerabilities, no workarounds exist. The sole exception is CVE-2025-20127, for which Cisco recommends disabling the faulty TLS 1.3 cipher. In all other cases, the universal guidance is clear: apply the latest updates without delay.